🔥 3-day streak
Professional Security Operations Engineer101 / 241
Question 101 of 241
During an active incident, a Google SecOps SOAR playbook is triggered by a high-severity alert indicating credential misuse from a workstation. The playbook is designed to automatically isolate the source host via the EDR integration. However, the enrichment step reveals the source IP maps to a shared jump server used by dozens of administrators for legitimate remote access, and there is no maintenance window active. What is the MOST appropriate playbook design decision to handle this situation?
Reviewed for accuracy · Report an issueNext question